author | benjamin.dauvergne <benjamin.dauvergne@a716ebb1-153a-0410-b759-cfb97c6a1b53> | 2012-02-17 14:01:24 +0000 |
---|---|---|
committer | benjamin.dauvergne <benjamin.dauvergne@a716ebb1-153a-0410-b759-cfb97c6a1b53> | 2012-02-17 14:01:24 +0000 |
commit | ce1a5d08aa3aa1e78b3bcf3a76915c875f37f8cb (patch) | |
tree | 65d0881f51ee87cfe38738c260e8bf32ae43f26f /auth_mellon_handler.c | |
parent | 10e252281585a8a84b6be49ebca1e293aea78000 (diff) | |
Add directive MellonSubjectConfirmationDataAddressCheck
MellonSubjectConfirmationDataAddressCheck allows disabling the check of the
client address given in the SubjectConfirmationData node of the IdP assertion.
This can be necessary when the client and the IdP or SP are in a NAT-ed network,
or when the SP is behind a reverse proxy.
git-svn-id: https://modmellon.googlecode.com/svn/trunk@152 a716ebb1-153a-0410-b759-cfb97c6a1b53
Diffstat (limited to 'auth_mellon_handler.c')
-rw-r--r-- | auth_mellon_handler.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c
index e1d4c3b..abbdab0 100644
--- a/auth_mellon_handler.c
+++ b/auth_mellon_handler.c
@@ -1150,6 +1150,7 @@ static int am_validate_subject(request_rec *r, LassoSaml2Assertion *assertion,
 apr_time_t t;
 LassoSaml2SubjectConfirmation *sc;
 LassoSaml2SubjectConfirmationData *scd;
+ am_dir_cfg_rec *cfg = am_get_dir_cfg(r);
 
 if (assertion->Subject == NULL) {
 /* No Subject to validate. */
@@ -1226,7 +1227,7 @@ static int am_validate_subject(request_rec *r, LassoSaml2Assertion *assertion,
 }
 }
 
- if (scd->Address) {
+ if (scd->Address && CFG_VALUE(cfg, subject_confirmation_data_address_check)) {
 if (strcasecmp(scd->Address, r->connection->remote_ip)) {
 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
 "Wrong Address in SubjectConfirmationData." |
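Review bot: The new condition on `scd->Address` in the second hunk skips the address comparison silently when the directive is off, and nothing at that site says what is given up or records that an Address was present but ignored. With the check disabled the assertion is no longer bound to the client IP, so whatever other SubjectConfirmationData checks this function performs (they lie outside the hunk) are all that limits an intercepted assertion being presented from another host. I would add a comment above the `if`, for example `/* Optional: behind NAT or a reverse proxy remote_ip is not the address the IdP saw; turning this off removes the client-IP binding of the assertion. */`, and a debug-level log line when an Address is present but not compared. The directive's default is not visible in this file's diff; it should stay enabled unless the administrator opts out. am_validate_subject starts and ends outside both hunks.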